Beware advertisers, ZeroAccess botnet surfaces back to life

Microsoft may only have presumed the ZeroAccess botnet dead when it announced in late 2013 that the botnet's creators had abandoned the click-fraud bot. Microsoft declared the botnet defunct after it secured a court order to disrupt ZeroAccess.

New research findings from Dell SecureWorks, however, contradict that declaration more than a year later. Researchers recently discovered that the peer-to-peer botnet has resumed spreading click-fraud across the Web in recent months, beginning in March.

Fortunately, there appears to be nothing new in how the botnet carries out its malicious activities.

For those still unfamiliar with this botnet, ZeroAccess consists of residual hosts acquired through earlier compromises and pushes click-fraud templates to those compromised systems. According to security experts, the revived ZeroAccess botnet is now split into two separate botnets operating over different ports.

The peer-to-peer network uses these compromised systems as nodes which, at set intervals, receive new templates containing links to attacker-controlled template servers. The malware then redirects through a traffic distribution system that delivers the bot to its ultimate destination.

Click-fraud is nothing new. In fact, almost every hour, every Internet user is targeted by this malicious activity. Cybercriminals use the technique to extract money from unsuspecting users or to defraud advertisers of ad revenue by inflating click counts with clicks that come not from legitimate users but from bots.

Researchers also detected some 55,000 IP addresses linked to the botnet, most of them tracing back to Japan, India, Russia, Italy, the United States, Brazil, Taiwan, Romania and other countries, indicating that the botnet's reach remains large enough to worry security professionals. And although the ZeroAccess botnet is not designed to commit fraud against banking institutions, it is still widely known to inflict serious damage on computers and on the advertising industry.

Users who click on search results that have been compromised by this botnet are redirected to web pages that steal personal information, such as Bitcoin credentials.

The very fact that the ZeroAccess botnet came back to life confirms the resolve of its botmasters to continue their malicious activities. Moreover, it is a clear indication that peer-to-peer botnets are becoming increasingly dangerous.

Microsoft's mistake in 2013 was that it only disrupted the cybercriminals' click-fraud, malware distribution and other malicious activities without dismantling the peer-to-peer communication protocol of the ZeroAccess botnet. As a result, the attackers were able to reconfigure the botnet's commands.